From b72f3d0f3c6278521b70bbaaefb9fe81063619a2 Mon Sep 17 00:00:00 2001 From: ricolin Date: Wed, 23 Nov 2022 22:43:10 +0800 Subject: [PATCH] Avoid unrequired policy setup OpenStack services already moved to use policy in code. No need to have policy file at this point, at least no need to put default policy rule to policy.yaml file anymore. To put in duplicate rules, will cause unnecessay logs and process. Also not healthy for policy in code maintain as the `default` rules in openstack-helm might override actual default rules in code which we might not even mean to change it at all. Change-Id: I29ea57aa80444ed64673818e597c9ca346ba7b2f --- aodh/Chart.yaml | 2 +- aodh/values.yaml | 16 +-- ceilometer/Chart.yaml | 2 +- ceilometer/values.yaml | 14 +-- cinder/Chart.yaml | 2 +- cinder/values.yaml | 117 +----------------- designate/Chart.yaml | 2 +- designate/values.yaml | 107 +--------------- glance/Chart.yaml | 2 +- glance/values.yaml | 56 +-------- heat/Chart.yaml | 2 +- heat/values.yaml | 90 +------------- magnum/Chart.yaml | 2 +- magnum/values.yaml | 44 +------ mistral/Chart.yaml | 2 +- mistral/values.yaml | 53 +------- neutron/Chart.yaml | 2 +- neutron/values.yaml | 191 +---------------------------- placement/Chart.yaml | 2 +- placement/values.yaml | 39 +----- releasenotes/notes/aodh.yaml | 1 + releasenotes/notes/ceilometer.yaml | 1 + releasenotes/notes/cinder.yaml | 1 + releasenotes/notes/designate.yaml | 1 + releasenotes/notes/glance.yaml | 1 + releasenotes/notes/heat.yaml | 1 + releasenotes/notes/magnum.yaml | 1 + releasenotes/notes/mistral.yaml | 1 + releasenotes/notes/neutron.yaml | 1 + releasenotes/notes/placement.yaml | 1 + releasenotes/notes/senlin.yaml | 1 + senlin/Chart.yaml | 2 +- senlin/values.yaml | 48 +------- 33 files changed, 33 insertions(+), 775 deletions(-) diff --git a/aodh/Chart.yaml b/aodh/Chart.yaml index 421ecc5395..2d7d5f8525 100644 --- a/aodh/Chart.yaml +++ b/aodh/Chart.yaml 
@@ -16,7 +16,7 @@ apiVersion: v1 appVersion: v1.0.0 description: Openstack-Helm Aodh name: aodh -version: 0.2.5 +version: 0.2.6 home: https://docs.openstack.org/aodh/latest/ sources: - https://opendev.org/openstack/aodh diff --git a/aodh/values.yaml b/aodh/values.yaml index 9d2fe68ec0..f8d5eabaed 100644 --- a/aodh/values.yaml +++ b/aodh/values.yaml @@ -449,21 +449,7 @@ conf: filter:http_proxy_to_wsgi: paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory oslo_config_project: aodh - policy: - context_is_admin: 'role:admin' - segregation: 'rule:context_is_admin' - admin_or_owner: 'rule:context_is_admin or project_id:%(project_id)s' - default: 'rule:admin_or_owner' - telemetry:get_alarm: 'rule:admin_or_owner' - telemetry:get_alarms: 'rule:admin_or_owner' - telemetry:query_alarm: 'rule:admin_or_owner' - telemetry:create_alarm: '' - telemetry:change_alarm: 'rule:admin_or_owner' - telemetry:delete_alarm: 'rule:admin_or_owner' - telemetry:get_alarm_state: 'rule:admin_or_owner' - telemetry:change_alarm_state: 'rule:admin_or_owner' - telemetry:alarm_history: 'rule:admin_or_owner' - telemetry:query_alarm_history: 'rule:admin_or_owner' + policy: {} aodh: DEFAULT: debug: false diff --git a/ceilometer/Chart.yaml b/ceilometer/Chart.yaml index ea302c0085..845dad68f7 100644 --- a/ceilometer/Chart.yaml +++ b/ceilometer/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Ceilometer name: ceilometer -version: 0.2.6 +version: 0.2.7 home: https://docs.openstack.org/ceilometer/latest/ sources: - https://opendev.org/openstack/ceilometer diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml index 0e146346fd..1106192477 100644 --- a/ceilometer/values.yaml +++ b/ceilometer/values.yaml 
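Review bot: `policy: {}` in aodh/values.yaml has no comment saying the empty mapping is deliberate and that authorization now comes from aodh's in-code oslo.policy defaults, so a later reader may take it for missing configuration and paste a full rule set back. I would add above it `# Intentionally empty: in-code policy defaults apply; list only deliberate overrides here.` (the enclosing `conf:` mapping starts outside the hunk). The removed block was the effective policy for every deployment without its own override, so any entry that differed from the in-code default changes behaviour on chart upgrade; entries such as `telemetry:create_alarm: ''` and `default: 'rule:admin_or_owner'` are worth checking, and the hunk does not show that comparison. Running `oslopolicy-list-redundant` against the previously rendered policy file would confirm which entries were true duplicates. The same applies to the `policy: {}` hunks in the ceilometer, cinder, designate, glance, heat, magnum, mistral and neutron values.yaml files, and the one-line release notes listed in the diffstat should presumably mark this as upgrade-impacting.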
@@ -1450,19 +1450,7 @@ conf: type: "gauge" publishers: - notifier:// - policy: - 'context_is_admin': 'role:admin' - 'segregation': 'rule:context_is_admin' - 'telemetry:compute_statistics': '' - 'telemetry:create_samples': '' - 'telemetry:events:index': '' - 'telemetry:events:show': '' - 'telemetry:get_meters': '' - 'telemetry:get_resource': '' - 'telemetry:get_resources': '' - 'telemetry:get_sample': '' - 'telemetry:get_samples': '' - 'telemetry:query_sample': '' + policy: {} audit_api_map: DEFAULT: target_endpoint_type: None diff --git a/cinder/Chart.yaml b/cinder/Chart.yaml index 435b975c9a..e20765961a 100644 --- a/cinder/Chart.yaml +++ b/cinder/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Cinder name: cinder -version: 0.3.1 +version: 0.3.2 home: https://docs.openstack.org/cinder/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png sources: diff --git a/cinder/values.yaml b/cinder/values.yaml index 1036f4d22a..7633d97739 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml 
@@ -468,122 +468,7 @@ conf: filter:audit: paste.filter_factory: keystonemiddleware.audit:filter_factory audit_map_file: /etc/cinder/api_audit_map.conf - policy: - context_is_admin: role:admin - admin_or_owner: is_admin:True or project_id:%(project_id)s - default: rule:admin_or_owner - admin_api: is_admin:True - volume:create: '' - volume:delete: rule:admin_or_owner - volume:get: rule:admin_or_owner - volume:get_all: rule:admin_or_owner - volume:get_volume_metadata: rule:admin_or_owner - volume:create_volume_metadata: rule:admin_or_owner - volume:delete_volume_metadata: rule:admin_or_owner - volume:update_volume_metadata: rule:admin_or_owner - volume:get_volume_admin_metadata: rule:admin_api - volume:update_volume_admin_metadata: rule:admin_api - volume:get_snapshot: rule:admin_or_owner - volume:get_all_snapshots: rule:admin_or_owner - volume:create_snapshot: rule:admin_or_owner - volume:delete_snapshot: rule:admin_or_owner - volume:update_snapshot: rule:admin_or_owner - volume:get_snapshot_metadata: rule:admin_or_owner - volume:delete_snapshot_metadata: rule:admin_or_owner - volume:update_snapshot_metadata: rule:admin_or_owner - volume:extend: rule:admin_or_owner - volume:update_readonly_flag: rule:admin_or_owner - volume:retype: rule:admin_or_owner - volume:update: rule:admin_or_owner - volume_extension:types_manage: rule:admin_api - volume_extension:types_extra_specs: rule:admin_api - volume_extension:access_types_qos_specs_id: rule:admin_api - volume_extension:access_types_extra_specs: rule:admin_api - volume_extension:volume_type_access: rule:admin_or_owner - volume_extension:volume_type_access:addProjectAccess: rule:admin_api - volume_extension:volume_type_access:removeProjectAccess: rule:admin_api - volume_extension:volume_type_encryption: rule:admin_api - volume_extension:volume_encryption_metadata: rule:admin_or_owner - volume_extension:extended_snapshot_attributes: rule:admin_or_owner - volume_extension:volume_image_metadata: rule:admin_or_owner - 
volume_extension:quotas:show: '' - volume_extension:quotas:update: rule:admin_api - volume_extension:quotas:delete: rule:admin_api - volume_extension:quota_classes: rule:admin_api - volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api - volume_extension:volume_admin_actions:reset_status: rule:admin_api - volume_extension:snapshot_admin_actions:reset_status: rule:admin_api - volume_extension:backup_admin_actions:reset_status: rule:admin_api - volume_extension:volume_admin_actions:force_delete: rule:admin_api - volume_extension:volume_admin_actions:force_detach: rule:admin_api - volume_extension:snapshot_admin_actions:force_delete: rule:admin_api - volume_extension:backup_admin_actions:force_delete: rule:admin_api - volume_extension:volume_admin_actions:migrate_volume: rule:admin_api - volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api - volume_extension:volume_actions:upload_public: rule:admin_api - volume_extension:volume_actions:upload_image: rule:admin_or_owner - volume_extension:volume_host_attribute: rule:admin_api - volume_extension:volume_tenant_attribute: rule:admin_or_owner - volume_extension:volume_mig_status_attribute: rule:admin_api - volume_extension:hosts: rule:admin_api - volume_extension:services:index: rule:admin_api - volume_extension:services:update: rule:admin_api - volume_extension:volume_manage: rule:admin_api - volume_extension:volume_unmanage: rule:admin_api - volume_extension:list_manageable: rule:admin_api - volume_extension:capabilities: rule:admin_api - volume:create_transfer: rule:admin_or_owner - volume:accept_transfer: '' - volume:delete_transfer: rule:admin_or_owner - volume:get_transfer: rule:admin_or_owner - volume:get_all_transfers: rule:admin_or_owner - volume_extension:replication:promote: rule:admin_api - volume_extension:replication:reenable: rule:admin_api - volume:failover_host: rule:admin_api - volume:freeze_host: rule:admin_api - volume:thaw_host: rule:admin_api - 
backup:create: '' - backup:delete: rule:admin_or_owner - backup:get: rule:admin_or_owner - backup:get_all: rule:admin_or_owner - backup:restore: rule:admin_or_owner - backup:backup-import: rule:admin_api - backup:backup-export: rule:admin_api - backup:update: rule:admin_or_owner - snapshot_extension:snapshot_actions:update_snapshot_status: '' - snapshot_extension:snapshot_manage: rule:admin_api - snapshot_extension:snapshot_unmanage: rule:admin_api - snapshot_extension:list_manageable: rule:admin_api - consistencygroup:create: group:nobody - consistencygroup:delete: group:nobody - consistencygroup:update: group:nobody - consistencygroup:get: group:nobody - consistencygroup:get_all: group:nobody - consistencygroup:create_cgsnapshot: group:nobody - consistencygroup:delete_cgsnapshot: group:nobody - consistencygroup:get_cgsnapshot: group:nobody - consistencygroup:get_all_cgsnapshots: group:nobody - group:group_types_manage: rule:admin_api - group:group_types_specs: rule:admin_api - group:access_group_types_specs: rule:admin_api - group:group_type_access: rule:admin_or_owner - group:create: '' - group:delete: rule:admin_or_owner - group:update: rule:admin_or_owner - group:get: rule:admin_or_owner - group:get_all: rule:admin_or_owner - group:create_group_snapshot: '' - group:delete_group_snapshot: rule:admin_or_owner - group:update_group_snapshot: rule:admin_or_owner - group:get_group_snapshot: rule:admin_or_owner - group:get_all_group_snapshots: rule:admin_or_owner - scheduler_extension:scheduler_stats:get_pools: rule:admin_api - message:delete: rule:admin_or_owner - message:get: rule:admin_or_owner - message:get_all: rule:admin_or_owner - clusters:get: rule:admin_api - clusters:get_all: rule:admin_api - clusters:update: rule:admin_api + policy: {} api_audit_map: DEFAULT: target_endpoint_type: None diff --git a/designate/Chart.yaml b/designate/Chart.yaml index 8f3971e1c8..56dc87027f 100644 --- a/designate/Chart.yaml +++ b/designate/Chart.yaml 
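Review bot: The block removed from cinder/values.yaml held restrictive entries as well as permissive ones, and for those a mismatch with the in-code default would widen access rather than narrow it. They are `consistencygroup:create: group:nobody` through `consistencygroup:get_all_cgsnapshots: group:nobody`, plus the `rule:admin_api` entries for host, service, quota and manage/unmanage operations. Whether the cinder release this chart deploys registers these rules in code with equivalent defaults is not visible in the hunk. If any of them is meant to stay locked down regardless of release, it should remain as an explicit override, for example `policy:` with `consistencygroup:create: group:nobody` beneath it, rather than `policy: {}`.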
@@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Designate name: designate -version: 0.2.7 +version: 0.2.8 home: https://docs.openstack.org/designate/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Designate/OpenStack_Project_Designate_vertical.jpg sources: diff --git a/designate/values.yaml b/designate/values.yaml index 7abd43d54e..ea2c2aaca0 100644 --- a/designate/values.yaml +++ b/designate/values.yaml 
@@ -441,112 +441,7 @@ conf: paste.filter_factory: designate.api.middleware:FaultWrapperMiddleware.factory filter:validation_API_v2: paste.filter_factory: designate.api.middleware:APIv2ValidationErrorMiddleware.factory - policy: - admin: role:admin or is_admin:True - primary_zone: target.zone_type:SECONDARY - owner: tenant:%(tenant_id)s - admin_or_owner: rule:admin or rule:owner - target: tenant:%(target_tenant_id)s - owner_or_target: rule:target or rule:owner - admin_or_owner_or_target: rule:owner_or_target or rule:admin - admin_or_target: rule:admin or rule:target - zone_primary_or_admin: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True) - default: rule:admin_or_owner - all_tenants: rule:admin - edit_managed_records: rule:admin - use_low_ttl: rule:admin - get_quotas: rule:admin_or_owner - get_quota: rule:admin_or_owner - set_quota: rule:admin - reset_quotas: rule:admin - create_tld: rule:admin - find_tlds: rule:admin - get_tld: rule:admin - update_tld: rule:admin - delete_tld: rule:admin - create_tsigkey: rule:admin - find_tsigkeys: rule:admin - get_tsigkey: rule:admin - update_tsigkey: rule:admin - delete_tsigkey: rule:admin - find_tenants: rule:admin - get_tenant: rule:admin - count_tenants: rule:admin - create_zone: rule:admin_or_owner - get_zones: rule:admin_or_owner - get_zone: rule:admin_or_owner - get_zone_servers: rule:admin_or_owner - find_zones: rule:admin_or_owner - find_zone: rule:admin_or_owner - update_zone: rule:admin_or_owner - delete_zone: rule:admin_or_owner - xfr_zone: rule:admin_or_owner - abandon_zone: rule:admin - count_zones: rule:admin_or_owner - count_zones_pending_notify: rule:admin_or_owner - purge_zones: rule:admin - touch_zone: rule:admin_or_owner - create_recordset: rule:zone_primary_or_admin - get_recordsets: rule:admin_or_owner - get_recordset: rule:admin_or_owner - find_recordsets: rule:admin_or_owner - find_recordset: rule:admin_or_owner - update_recordset: 
rule:zone_primary_or_admin - delete_recordset: rule:zone_primary_or_admin - count_recordset: rule:admin_or_owner - create_record: rule:admin_or_owner - get_records: rule:admin_or_owner - get_record: rule:admin_or_owner - find_records: rule:admin_or_owner - find_record: rule:admin_or_owner - update_record: rule:admin_or_owner - delete_record: rule:admin_or_owner - count_records: rule:admin_or_owner - use_sudo: rule:admin - create_blacklist: rule:admin - find_blacklist: rule:admin - find_blacklists: rule:admin - get_blacklist: rule:admin - update_blacklist: rule:admin - delete_blacklist: rule:admin - use_blacklisted_zone: rule:admin - create_pool: rule:admin - find_pools: rule:admin - find_pool: rule:admin - get_pool: rule:admin - update_pool: rule:admin - delete_pool: rule:admin - zone_create_forced_pool: rule:admin - diagnostics_ping: rule:admin - diagnostics_sync_zones: rule:admin - diagnostics_sync_zone: rule:admin - diagnostics_sync_record: rule:admin - create_zone_transfer_request: rule:admin_or_owner - get_zone_transfer_request: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s - get_zone_transfer_request_detailed: rule:admin_or_owner - find_zone_transfer_requests: '@' - find_zone_transfer_request: '@' - update_zone_transfer_request: rule:admin_or_owner - delete_zone_transfer_request: rule:admin_or_owner - create_zone_transfer_accept: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s - get_zone_transfer_accept: rule:admin_or_owner - find_zone_transfer_accepts: rule:admin - find_zone_transfer_accept: rule:admin - update_zone_transfer_accept: rule:admin - delete_zone_transfer_accept: rule:admin - create_zone_import: rule:admin_or_owner - find_zone_imports: rule:admin_or_owner - get_zone_import: rule:admin_or_owner - update_zone_import: rule:admin_or_owner - delete_zone_import: rule:admin_or_owner - zone_export: rule:admin_or_owner - create_zone_export: rule:admin_or_owner - find_zone_exports: 
rule:admin_or_owner - get_zone_export: rule:admin_or_owner - update_zone_export: rule:admin_or_owner - find_service_status: rule:admin - find_service_statuses: rule:admin - update_service_service_status: rule:admin + policy: {} designate: DEFAULT: debug: false diff --git a/glance/Chart.yaml b/glance/Chart.yaml index 6404c73d7d..7ce28411a1 100644 --- a/glance/Chart.yaml +++ b/glance/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Glance name: glance -version: 0.4.0 +version: 0.4.1 home: https://docs.openstack.org/glance/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png sources: diff --git a/glance/values.yaml b/glance/values.yaml index dfaac1521f..69f703e11e 100644 --- a/glance/values.yaml +++ b/glance/values.yaml 
@@ -189,61 +189,7 @@ conf: oslo_config_program: glance-api filter:http_proxy_to_wsgi: paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory - policy: - metadef_default: '' - metadef_admin: 'role:admin' - context_is_admin: role:admin - default: role:admin - add_image: '' - delete_image: '' - get_image: '' - get_images: '' - modify_image: '' - publicize_image: role:admin - copy_from: '' - download_image: '' - upload_image: '' - delete_image_location: '' - get_image_location: '' - set_image_location: '' - add_member: '' - delete_member: '' - get_member: '' - get_members: '' - modify_member: '' - manage_image_cache: role:admin - get_task: role:admin - get_tasks: role:admin - add_task: role:admin - modify_task: role:admin - deactivate: '' - reactivate: '' - get_metadef_namespace: rule:metadef_default - get_metadef_namespaces: rule:metadef_default - modify_metadef_namespace: rule:metadef_admin - add_metadef_namespace: rule:metadef_admin - delete_metadef_namespace: rule:metadef_admin - get_metadef_object: rule:metadef_default - get_metadef_objects: rule:metadef_default - modify_metadef_object: rule:metadef_admin - add_metadef_object: rule:metadef_admin - delete_metadef_object: rule:metadef_admin - list_metadef_resource_types: rule:metadef_default - get_metadef_resource_type: rule:metadef_default - add_metadef_resource_type_association: rule:metadef_admin - remove_metadef_resource_type_association: rule:metadef_admin - get_metadef_property: rule:metadef_default - get_metadef_properties: rule:metadef_default - modify_metadef_property: rule:metadef_admin - add_metadef_property: rule:metadef_admin - remove_metadef_property: rule:metadef_admin - get_metadef_tag: rule:metadef_default - get_metadef_tags: rule:metadef_default - modify_metadef_tag: rule:metadef_admin - add_metadef_tag: rule:metadef_admin - add_metadef_tags: rule:metadef_admin - delete_metadef_tag: rule:metadef_admin - delete_metadef_tags: rule:metadef_admin + policy: {} glance_sudoers: | # This sudoers 
file supports rootwrap for both Kolla and LOCI Images. Defaults !requiretty diff --git a/heat/Chart.yaml b/heat/Chart.yaml index 97cfd98293..05cd5adc25 100644 --- a/heat/Chart.yaml +++ b/heat/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Heat name: heat -version: 0.3.0 +version: 0.3.1 home: https://docs.openstack.org/heat/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png sources: diff --git a/heat/values.yaml b/heat/values.yaml index 3dd9fdac09..555af53a33 100644 --- a/heat/values.yaml +++ b/heat/values.yaml 
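Review bot: Dropping `default: role:admin` in glance/values.yaml removes an explicit fail-closed fallback. oslo.policy uses the `default` rule for any rule name it has no entry for, and glance's in-code value for `default` may not be `role:admin` in the release being deployed; that cannot be verified from this hunk. If the admin-only fallback is intended, keep it as the single override: `policy:` followed by `default: role:admin`. The many `''` entries removed alongside it (`delete_image`, `modify_image`, `add_member`, `set_image_location` and others) allowed any authenticated caller at the policy layer, so their removal is more likely a tightening, but the glance release note should say so.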
@@ -340,95 +340,7 @@ conf: paste.filter_factory: oslo_middleware.request_id:RequestId.factory filter:osprofiler: paste.filter_factory: osprofiler.web:WsgiMiddleware.factory - policy: - context_is_admin: role:admin and is_admin_project:True - project_admin: role:admin - deny_stack_user: not role:heat_stack_user - deny_everybody: "!" - cloudformation:ListStacks: rule:deny_stack_user - cloudformation:CreateStack: rule:deny_stack_user - cloudformation:DescribeStacks: rule:deny_stack_user - cloudformation:DeleteStack: rule:deny_stack_user - cloudformation:UpdateStack: rule:deny_stack_user - cloudformation:CancelUpdateStack: rule:deny_stack_user - cloudformation:DescribeStackEvents: rule:deny_stack_user - cloudformation:ValidateTemplate: rule:deny_stack_user - cloudformation:GetTemplate: rule:deny_stack_user - cloudformation:EstimateTemplateCost: rule:deny_stack_user - cloudformation:DescribeStackResource: '' - cloudformation:DescribeStackResources: rule:deny_stack_user - cloudformation:ListStackResources: rule:deny_stack_user - cloudwatch:DeleteAlarms: rule:deny_stack_user - cloudwatch:DescribeAlarmHistory: rule:deny_stack_user - cloudwatch:DescribeAlarms: rule:deny_stack_user - cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user - cloudwatch:DisableAlarmActions: rule:deny_stack_user - cloudwatch:EnableAlarmActions: rule:deny_stack_user - cloudwatch:GetMetricStatistics: rule:deny_stack_user - cloudwatch:ListMetrics: rule:deny_stack_user - cloudwatch:PutMetricAlarm: rule:deny_stack_user - cloudwatch:PutMetricData: '' - cloudwatch:SetAlarmState: rule:deny_stack_user - actions:action: rule:deny_stack_user - build_info:build_info: rule:deny_stack_user - events:index: rule:deny_stack_user - events:show: rule:deny_stack_user - resource:index: rule:deny_stack_user - resource:metadata: '' - resource:signal: '' - resource:mark_unhealthy: rule:deny_stack_user - resource:show: rule:deny_stack_user - stacks:abandon: rule:deny_stack_user - stacks:create: rule:deny_stack_user - 
stacks:delete: rule:deny_stack_user - stacks:detail: rule:deny_stack_user - stacks:export: rule:deny_stack_user - stacks:generate_template: rule:deny_stack_user - stacks:global_index: rule:deny_everybody - stacks:index: rule:deny_stack_user - stacks:list_resource_types: rule:deny_stack_user - stacks:list_template_versions: rule:deny_stack_user - stacks:list_template_functions: rule:deny_stack_user - stacks:lookup: '' - stacks:preview: rule:deny_stack_user - stacks:resource_schema: rule:deny_stack_user - stacks:show: rule:deny_stack_user - stacks:template: rule:deny_stack_user - stacks:environment: rule:deny_stack_user - stacks:files: rule:deny_stack_user - stacks:update: rule:deny_stack_user - stacks:update_patch: rule:deny_stack_user - stacks:preview_update: rule:deny_stack_user - stacks:preview_update_patch: rule:deny_stack_user - stacks:validate_template: rule:deny_stack_user - stacks:snapshot: rule:deny_stack_user - stacks:show_snapshot: rule:deny_stack_user - stacks:delete_snapshot: rule:deny_stack_user - stacks:list_snapshots: rule:deny_stack_user - stacks:restore_snapshot: rule:deny_stack_user - stacks:list_outputs: rule:deny_stack_user - stacks:show_output: rule:deny_stack_user - software_configs:global_index: rule:deny_everybody - software_configs:index: rule:deny_stack_user - software_configs:create: rule:deny_stack_user - software_configs:show: rule:deny_stack_user - software_configs:delete: rule:deny_stack_user - software_deployments:index: rule:deny_stack_user - software_deployments:create: rule:deny_stack_user - software_deployments:show: rule:deny_stack_user - software_deployments:update: rule:deny_stack_user - software_deployments:delete: rule:deny_stack_user - software_deployments:metadata: '' - service:index: rule:context_is_admin - resource_types:OS::Nova::Flavor: rule:project_admin - resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin - resource_types:OS::Cinder::VolumeType: rule:project_admin - resource_types:OS::Cinder::Quota: 
rule:project_admin - resource_types:OS::Manila::ShareType: rule:project_admin - resource_types:OS::Neutron::QoSPolicy: rule:project_admin - resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin - resource_types:OS::Nova::HostAggregate: rule:project_admin - resource_types:OS::Cinder::QoSSpecs: rule:project_admin + policy: {} heat: DEFAULT: log_config_append: /etc/heat/logging.conf diff --git a/magnum/Chart.yaml b/magnum/Chart.yaml index 3f4ccf6d8d..37bdece4b4 100644 --- a/magnum/Chart.yaml +++ b/magnum/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Magnum name: magnum -version: 0.2.7 +version: 0.2.8 home: https://docs.openstack.org/magnum/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Magnum/OpenStack_Project_Magnum_vertical.png sources: diff --git a/magnum/values.yaml b/magnum/values.yaml index f4d042a192..4280f0babf 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml 
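Review bot: The heat/values.yaml hunk removes the rule pair that separated in-instance credentials from normal users, and the visible part of the patch adds no test for it. That pair was `deny_stack_user: not role:heat_stack_user` applied to almost every API, with `resource:signal: ''`, `resource:metadata: ''` and `software_deployments:metadata: ''` left open, so the separation now depends entirely on heat's in-code defaults. A deployment check that a `heat_stack_user` token is refused on `stacks:index` and accepted on `resource:signal` would cover it. The magnum/values.yaml hunk has the same shape, with `deny_cluster_user: not domain_id:%(trustee_domain_id)s` and the `certificate:create` / `certificate:get` rules for `cluster_user`.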
@@ -68,49 +68,7 @@ conf: paste.filter_factory: oslo_middleware:Healthcheck.factory backends: disable_by_file disable_by_file_path: /etc/magnum/healthcheck_disable - policy: - context_is_admin: role:admin - admin_or_owner: is_admin:True or project_id:%(project_id)s - default: rule:admin_or_owner - admin_api: rule:context_is_admin - admin_or_user: is_admin:True or user_id:%(user_id)s - cluster_user: user_id:%(trustee_user_id)s - deny_cluster_user: not domain_id:%(trustee_domain_id)s - bay:create: rule:deny_cluster_user - bay:delete: rule:deny_cluster_user - bay:detail: rule:deny_cluster_user - bay:get: rule:deny_cluster_user - bay:get_all: rule:deny_cluster_user - bay:update: rule:deny_cluster_user - baymodel:create: rule:deny_cluster_user - baymodel:delete: rule:deny_cluster_user - baymodel:detail: rule:deny_cluster_user - baymodel:get: rule:deny_cluster_user - baymodel:get_all: rule:deny_cluster_user - baymodel:update: rule:deny_cluster_user - baymodel:publish: rule:admin_or_owner - cluster:create: rule:deny_cluster_user - cluster:delete: rule:deny_cluster_user - cluster:detail: rule:deny_cluster_user - cluster:get: rule:deny_cluster_user - cluster:get_all: rule:deny_cluster_user - cluster:update: rule:deny_cluster_user - clustertemplate:create: rule:deny_cluster_user - clustertemplate:delete: rule:deny_cluster_user - clustertemplate:detail: rule:deny_cluster_user - clustertemplate:get: rule:deny_cluster_user - clustertemplate:get_all: rule:deny_cluster_user - clustertemplate:update: rule:deny_cluster_user - clustertemplate:publish: rule:admin_or_owner - rc:create: rule:default - rc:delete: rule:default - rc:detail: rule:default - rc:get: rule:default - rc:get_all: rule:default - rc:update: rule:default - certificate:create: rule:admin_or_user or rule:cluster_user - certificate:get: rule:admin_or_user or rule:cluster_user - magnum-service:get_all: rule:admin_api + policy: {} magnum: DEFAULT: log_config_append: /etc/magnum/logging.conf 
diff --git a/mistral/Chart.yaml b/mistral/Chart.yaml index 4ed1e11af3..21af26f770 100644 --- a/mistral/Chart.yaml +++ b/mistral/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Mistral name: mistral -version: 0.2.6 +version: 0.2.7 home: https://docs.openstack.org/mistral/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Mistral/OpenStack_Project_Mistral_vertical.png sources: diff --git a/mistral/values.yaml b/mistral/values.yaml index dd65149852..e22e2530a7 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml 
@@ -416,58 +416,7 @@ conf: - name: /tmp/rally-jobs/mistral_params.json template: | {"env": {"env_param": "env_param_value"}} - policy: - admin_only: is_admin:True - admin_or_owner: is_admin:True or project_id:%(project_id)s - default: rule:admin_or_owner - action_executions:delete: rule:admin_or_owner - action_execution:create: rule:admin_or_owner - action_executions:get: rule:admin_or_owner - action_executions:list: rule:admin_or_owner - action_executions:update: rule:admin_or_owner - actions:create: rule:admin_or_owner - actions:delete: rule:admin_or_owner - actions:get: rule:admin_or_owner - actions:list: rule:admin_or_owner - actions:update: rule:admin_or_owner - cron_triggers:create: rule:admin_or_owner - cron_triggers:delete: rule:admin_or_owner - cron_triggers:get: rule:admin_or_owner - cron_triggers:list: rule:admin_or_owner - environments:create: rule:admin_or_owner - environments:delete: rule:admin_or_owner - environments:get: rule:admin_or_owner - environments:list: rule:admin_or_owner - environments:update: rule:admin_or_owner - executions:create: rule:admin_or_owner - executions:delete: rule:admin_or_owner - executions:get: rule:admin_or_owner - executions:list: rule:admin_or_owner - executions:update: rule:admin_or_owner - members:create: rule:admin_or_owner - members:delete: rule:admin_or_owner - members:get: rule:admin_or_owner - members:list: rule:admin_or_owner - members:update: rule:admin_or_owner - services:list: rule:admin_or_owner - tasks:get: rule:admin_or_owner - tasks:list: rule:admin_or_owner - tasks:update: rule:admin_or_owner - workbooks:create: rule:admin_or_owner - workbooks:delete: rule:admin_or_owner - workbooks:get: rule:admin_or_owner - workbooks:list: rule:admin_or_owner - workbooks:update: rule:admin_or_owner - workflows:create: rule:admin_or_owner - workflows:delete: rule:admin_or_owner - workflows:get: rule:admin_or_owner - workflows:list: rule:admin_or_owner - workflows:update: rule:admin_or_owner - event_triggers:create: 
rule:admin_or_owner - event_triggers:delete: rule:admin_or_owner - event_triggers:get: rule:admin_or_owner - event_triggers:list: rule:admin_or_owner - event_triggers:update: rule:admin_or_owner + policy: {} mistral: DEFAULT: log_config_append: /etc/mistral/logging.conf diff --git a/neutron/Chart.yaml b/neutron/Chart.yaml index a324603cd8..1c7435b86f 100644 --- a/neutron/Chart.yaml +++ b/neutron/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Neutron name: neutron -version: 0.3.0 +version: 0.3.1 home: https://docs.openstack.org/neutron/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png sources: diff --git a/neutron/values.yaml b/neutron/values.yaml index f1eb8d1000..cc2d441a2b 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml 
@@ -1163,196 +1163,7 @@ conf: paste.app_factory: neutron.api.v2.router:APIRouter.factory filter:osprofiler: paste.filter_factory: osprofiler.web:WsgiMiddleware.factory - policy: - context_is_admin: role:admin - owner: tenant_id:%(tenant_id)s - admin_or_owner: rule:context_is_admin or rule:owner - context_is_advsvc: role:advsvc - admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s - admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner - admin_only: rule:context_is_admin - regular_user: '' - shared: field:networks:shared=True - shared_subnetpools: field:subnetpools:shared=True - shared_address_scopes: field:address_scopes:shared=True - external: field:networks:router:external=True - default: rule:admin_or_owner - create_subnet: rule:admin_or_network_owner - create_subnet:segment_id: rule:admin_only - create_subnet:service_types: rule:admin_only - get_subnet: rule:admin_or_owner or rule:shared - get_subnet:segment_id: rule:admin_only - update_subnet: rule:admin_or_network_owner - update_subnet:service_types: rule:admin_only - delete_subnet: rule:admin_or_network_owner - create_subnetpool: '' - create_subnetpool:shared: rule:admin_only - create_subnetpool:is_default: rule:admin_only - get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools - update_subnetpool: rule:admin_or_owner - update_subnetpool:is_default: rule:admin_only - delete_subnetpool: rule:admin_or_owner - create_address_scope: '' - create_address_scope:shared: rule:admin_only - get_address_scope: rule:admin_or_owner or rule:shared_address_scopes - update_address_scope: rule:admin_or_owner - update_address_scope:shared: rule:admin_only - delete_address_scope: rule:admin_or_owner - create_network: '' - get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc - get_network:router:external: rule:regular_user - get_network:segments: rule:admin_only - get_network:provider:network_type: rule:admin_only - 
get_network:provider:physical_network: rule:admin_only - get_network:provider:segmentation_id: rule:admin_only - get_network:queue_id: rule:admin_only - get_network_ip_availabilities: rule:admin_only - get_network_ip_availability: rule:admin_only - create_network:shared: rule:admin_only - create_network:router:external: rule:admin_only - create_network:is_default: rule:admin_only - create_network:segments: rule:admin_only - create_network:provider:network_type: rule:admin_only - create_network:provider:physical_network: rule:admin_only - create_network:provider:segmentation_id: rule:admin_only - update_network: rule:admin_or_owner - update_network:segments: rule:admin_only - update_network:shared: rule:admin_only - update_network:provider:network_type: rule:admin_only - update_network:provider:physical_network: rule:admin_only - update_network:provider:segmentation_id: rule:admin_only - update_network:router:external: rule:admin_only - delete_network: rule:admin_or_owner - create_segment: rule:admin_only - get_segment: rule:admin_only - update_segment: rule:admin_only - delete_segment: rule:admin_only - network_device: 'field:port:device_owner=~^network:' - create_port: '' - create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner - create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner - create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner - create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner - create_port:binding:host_id: rule:admin_only - create_port:binding:profile: rule:admin_only - create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner - create_port:allowed_address_pairs: rule:admin_or_network_owner - get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner - get_port:queue_id: rule:admin_only - get_port:binding:vif_type: rule:admin_only - get_port:binding:vif_details: 
rule:admin_only - get_port:binding:host_id: rule:admin_only - get_port:binding:profile: rule:admin_only - update_port: rule:admin_or_owner or rule:context_is_advsvc - update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner - update_port:mac_address: rule:admin_only or rule:context_is_advsvc - update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner - update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner - update_port:binding:host_id: rule:admin_only - update_port:binding:profile: rule:admin_only - update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner - update_port:allowed_address_pairs: rule:admin_or_network_owner - delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner - get_router:ha: rule:admin_only - create_router: rule:regular_user - create_router:external_gateway_info:enable_snat: rule:admin_only - create_router:distributed: rule:admin_only - create_router:ha: rule:admin_only - get_router: rule:admin_or_owner - get_router:distributed: rule:admin_only - update_router:external_gateway_info:enable_snat: rule:admin_only - update_router:distributed: rule:admin_only - update_router:ha: rule:admin_only - delete_router: rule:admin_or_owner - add_router_interface: rule:admin_or_owner - remove_router_interface: rule:admin_or_owner - create_router:external_gateway_info:external_fixed_ips: rule:admin_only - update_router:external_gateway_info:external_fixed_ips: rule:admin_only - insert_rule: rule:admin_or_owner - remove_rule: rule:admin_or_owner - create_qos_queue: rule:admin_only - get_qos_queue: rule:admin_only - update_agent: rule:admin_only - delete_agent: rule:admin_only - get_agent: rule:admin_only - create_dhcp-network: rule:admin_only - delete_dhcp-network: rule:admin_only - get_dhcp-networks: rule:admin_only - create_l3-router: rule:admin_only - delete_l3-router: rule:admin_only - get_l3-routers: 
rule:admin_only - get_dhcp-agents: rule:admin_only - get_l3-agents: rule:admin_only - get_loadbalancer-agent: rule:admin_only - get_loadbalancer-pools: rule:admin_only - get_agent-loadbalancers: rule:admin_only - get_loadbalancer-hosting-agent: rule:admin_only - create_floatingip: rule:regular_user - create_floatingip:floating_ip_address: rule:admin_only - update_floatingip: rule:admin_or_owner - delete_floatingip: rule:admin_or_owner - get_floatingip: rule:admin_or_owner - create_network_profile: rule:admin_only - update_network_profile: rule:admin_only - delete_network_profile: rule:admin_only - get_network_profiles: '' - get_network_profile: '' - update_policy_profiles: rule:admin_only - get_policy_profiles: '' - get_policy_profile: '' - create_metering_label: rule:admin_only - delete_metering_label: rule:admin_only - get_metering_label: rule:admin_only - create_metering_label_rule: rule:admin_only - delete_metering_label_rule: rule:admin_only - get_metering_label_rule: rule:admin_only - get_service_provider: rule:regular_user - get_lsn: rule:admin_only - create_lsn: rule:admin_only - create_flavor: rule:admin_only - update_flavor: rule:admin_only - delete_flavor: rule:admin_only - get_flavors: rule:regular_user - get_flavor: rule:regular_user - create_service_profile: rule:admin_only - update_service_profile: rule:admin_only - delete_service_profile: rule:admin_only - get_service_profiles: rule:admin_only - get_service_profile: rule:admin_only - get_policy: rule:regular_user - create_policy: rule:admin_only - update_policy: rule:admin_only - delete_policy: rule:admin_only - get_policy_bandwidth_limit_rule: rule:regular_user - create_policy_bandwidth_limit_rule: rule:admin_only - delete_policy_bandwidth_limit_rule: rule:admin_only - update_policy_bandwidth_limit_rule: rule:admin_only - get_policy_dscp_marking_rule: rule:regular_user - create_policy_dscp_marking_rule: rule:admin_only - delete_policy_dscp_marking_rule: rule:admin_only - 
update_policy_dscp_marking_rule: rule:admin_only - get_rule_type: rule:regular_user - get_policy_minimum_bandwidth_rule: rule:regular_user - create_policy_minimum_bandwidth_rule: rule:admin_only - delete_policy_minimum_bandwidth_rule: rule:admin_only - update_policy_minimum_bandwidth_rule: rule:admin_only - restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only" - create_rbac_policy: '' - create_rbac_policy:target_tenant: rule:restrict_wildcard - update_rbac_policy: rule:admin_or_owner - update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner - get_rbac_policy: rule:admin_or_owner - delete_rbac_policy: rule:admin_or_owner - create_flavor_service_profile: rule:admin_only - delete_flavor_service_profile: rule:admin_only - get_flavor_service_profile: rule:regular_user - get_auto_allocated_topology: rule:admin_or_owner - create_trunk: rule:regular_user - get_trunk: rule:admin_or_owner - delete_trunk: rule:admin_or_owner - get_subports: '' - add_subports: rule:admin_or_owner - remove_subports: rule:admin_or_owner + policy: {} api_audit_map: DEFAULT: target_endpoint_type: None diff --git a/placement/Chart.yaml b/placement/Chart.yaml index 3e4a864b9a..312ed00d9a 100644 --- a/placement/Chart.yaml +++ b/placement/Chart.yaml @@ -16,7 +16,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Placement name: placement -version: 0.3.1 +version: 0.3.2 home: https://docs.openstack.org/placement/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png sources: diff --git a/placement/values.yaml b/placement/values.yaml index 4456a9ecb2..ff33660c6c 100644 --- a/placement/values.yaml +++ b/placement/values.yaml 
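Review bot: Removing the helper rules from the old neutron `policy:` map (`admin_only`, `regular_user`, `admin_or_network_owner`, `restrict_wildcard` and the rest) can affect operators whose own `conf.policy` overrides refer to them as `rule:<name>`, because the chart previously supplied those names in the same rendered file. oslo.policy evaluates a reference to an undefined rule as a failed check, so an override that names a helper the deployed Neutron release does not register in code would deny every request for that API. I have not verified which of the removed names the target releases still register, so this is worth confirming and, if any are missing, calling out in the release note. The `conf:` mapping that holds this key continues outside the hunk.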
@@ -73,44 +73,7 @@ conf: # - status a2enmod: null a2dismod: null - policy: - "context_is_admin": "role:admin" - "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s" - "default": "rule:admin_or_owner" - "admin_api": "role:admin" - "placement:resource_providers:list": "rule:admin_api" - "placement:resource_providers:create": "rule:admin_api" - "placement:resource_providers:show": "rule:admin_api" - "placement:resource_providers:update": "rule:admin_api" - "placement:resource_providers:delete": "rule:admin_api" - "placement:resource_classes:list": "rule:admin_api" - "placement:resource_classes:create": "rule:admin_api" - "placement:resource_classes:show": "rule:admin_api" - "placement:resource_classes:update": "rule:admin_api" - "placement:resource_classes:delete": "rule:admin_api" - "placement:resource_providers:inventories:list": "rule:admin_api" - "placement:resource_providers:inventories:create": "rule:admin_api" - "placement:resource_providers:inventories:show": "rule:admin_api" - "placement:resource_providers:inventories:update": "rule:admin_api" - "placement:resource_providers:inventories:delete": "rule:admin_api" - "placement:resource_providers:aggregates:list": "rule:admin_api" - "placement:resource_providers:aggregates:update": "rule:admin_api" - "placement:resource_providers:usages": "rule:admin_api" - "placement:usages": "rule:admin_api" - "placement:traits:list": "rule:admin_api" - "placement:traits:show": "rule:admin_api" - "placement:traits:update": "rule:admin_api" - "placement:traits:delete": "rule:admin_api" - "placement:resource_providers:traits:list": "rule:admin_api" - "placement:resource_providers:traits:update": "rule:admin_api" - "placement:resource_providers:traits:delete": "rule:admin_api" - "placement:allocations:manage": "rule:admin_api" - "placement:allocations:list": "rule:admin_api" - "placement:allocations:update": "rule:admin_api" - "placement:allocations:delete": "rule:admin_api" - 
"placement:resource_providers:allocations:list": "rule:admin_api" - "placement:allocation_candidates:list": "rule:admin_api" - "placement:reshaper:reshape": "rule:admin_api" + policy: {} placement: DEFAULT: debug: false diff --git a/releasenotes/notes/aodh.yaml b/releasenotes/notes/aodh.yaml index c47f5737b2..3ac5191008 100644 --- a/releasenotes/notes/aodh.yaml +++ b/releasenotes/notes/aodh.yaml @@ -8,4 +8,5 @@ aodh: - 0.2.3 Enable taint toleration for Openstack services - 0.2.4 Migrated CronJob resource to batch/v1 API version & PodDisruptionBudget to policy/v1 - 0.2.5 Added OCI registry authentication + - 0.2.6 Remove default policy rules ... diff --git a/releasenotes/notes/ceilometer.yaml b/releasenotes/notes/ceilometer.yaml index 4b0ee540dd..8c0d112ecd 100644 --- a/releasenotes/notes/ceilometer.yaml +++ b/releasenotes/notes/ceilometer.yaml @@ -9,4 +9,5 @@ ceilometer: - 0.2.4 Update default image values to Wallaby - 0.2.5 Migrated PodDisruptionBudget resource to policy/v1 API version - 0.2.6 Added OCI registry authentication + - 0.2.7 Remove default policy rules ... diff --git a/releasenotes/notes/cinder.yaml b/releasenotes/notes/cinder.yaml index ed15dd28b2..de26fd54f7 100644 --- a/releasenotes/notes/cinder.yaml +++ b/releasenotes/notes/cinder.yaml @@ -51,4 +51,5 @@ cinder: - 0.2.32 Revert "Remove fixed node name from default values and add service cleaner cronjob" - 0.3.0 Remove support for Train and Ussuri - 0.3.1 Change ceph-config-helper image tag + - 0.3.2 Remove default policy rules ... diff --git a/releasenotes/notes/designate.yaml b/releasenotes/notes/designate.yaml index 459ac59e3a..d0610d6f9b 100644 --- a/releasenotes/notes/designate.yaml +++ b/releasenotes/notes/designate.yaml @@ -11,4 +11,5 @@ designate: - 0.2.5 Migrated PodDisruptionBudget resource to policy/v1 API version - 0.2.6 Added OCI registry authentication - 0.2.7 Use HTTP probe instead of TCP probe + - 0.2.8 Remove default policy rules ... 
diff --git a/releasenotes/notes/glance.yaml b/releasenotes/notes/glance.yaml index 6be540f5c8..6998bff3ab 100644 --- a/releasenotes/notes/glance.yaml +++ b/releasenotes/notes/glance.yaml @@ -34,4 +34,5 @@ glance: - 0.3.11 Use HTTP probe instead of TCP probe - 0.3.12 Add support for using Cinder as backend - 0.4.0 Remove support for Train and Ussuri + - 0.4.1 Remove default policy rules ... diff --git a/releasenotes/notes/heat.yaml b/releasenotes/notes/heat.yaml index 2db5812beb..540b2b3d04 100644 --- a/releasenotes/notes/heat.yaml +++ b/releasenotes/notes/heat.yaml @@ -26,4 +26,5 @@ heat: - 0.2.17 Use HTTP probe instead of TCP probe - 0.2.18 Change hook weight for bootstrap job - 0.3.0 Remove support for Train and Ussuri + - 0.3.1 Remove default policy rules ... diff --git a/releasenotes/notes/magnum.yaml b/releasenotes/notes/magnum.yaml index 2da90ade18..f93bdf3c27 100644 --- a/releasenotes/notes/magnum.yaml +++ b/releasenotes/notes/magnum.yaml @@ -11,4 +11,5 @@ magnum: - 0.2.5 Update default image values to wallaby - 0.2.6 Migrated PodDisruptionBudget resource to policy/v1 API version - 0.2.7 Added OCI registry authentication + - 0.2.8 Remove default policy rules ... diff --git a/releasenotes/notes/mistral.yaml b/releasenotes/notes/mistral.yaml index 134139075b..99af32440a 100644 --- a/releasenotes/notes/mistral.yaml +++ b/releasenotes/notes/mistral.yaml @@ -10,4 +10,5 @@ mistral: - 0.2.4 Migrated PodDisruptionBudget resource to policy/v1 API version - 0.2.5 Added OCI registry authentication - 0.2.6 Use HTTP probe instead of TCP probe + - 0.2.7 Remove default policy rules ... diff --git a/releasenotes/notes/neutron.yaml b/releasenotes/notes/neutron.yaml index da387333a4..3eaea36069 100644 --- a/releasenotes/notes/neutron.yaml +++ b/releasenotes/notes/neutron.yaml 
@@ -42,4 +42,5 @@ neutron: - 0.2.26 Use HTTP probe instead of TCP probe - 0.2.27 Distinguish between port number of internal endpoint and binding port number - 0.3.0 Remove support for Train and Ussuri + - 0.3.1 Remove default policy rules ... diff --git a/releasenotes/notes/placement.yaml b/releasenotes/notes/placement.yaml index cdd2ce37c2..8c604c27e2 100644 --- a/releasenotes/notes/placement.yaml +++ b/releasenotes/notes/placement.yaml @@ -24,4 +24,5 @@ placement: - 0.2.13 Support TLS endpoints - 0.3.0 Remove placement-migrate - 0.3.1 Remove support for Train and Ussuri + - 0.3.2 Remove default policy rules ... diff --git a/releasenotes/notes/senlin.yaml b/releasenotes/notes/senlin.yaml index 83a63cae4f..d5d64d20a6 100644 --- a/releasenotes/notes/senlin.yaml +++ b/releasenotes/notes/senlin.yaml @@ -10,4 +10,5 @@ senlin: - 0.2.5 Migrated CronJob resource to batch/v1 API version & PodDisruptionBudget to policy/v1 - 0.2.6 Add helm.sh/hook annotations for Jobs - 0.2.7 Added OCI registry authentication + - 0.2.8 Remove default policy rules ... diff --git a/senlin/Chart.yaml b/senlin/Chart.yaml index a7a71e0aad..b9c4e8b62c 100644 --- a/senlin/Chart.yaml +++ b/senlin/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Senlin name: senlin -version: 0.2.7 +version: 0.2.8 home: https://docs.openstack.org/senlin/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Senlin/OpenStack_Project_Senlin_vertical.png sources: diff --git a/senlin/values.yaml b/senlin/values.yaml index a0fcb54587..5bd7f45c9a 100644 --- a/senlin/values.yaml +++ b/senlin/values.yaml 
@@ -123,53 +123,7 @@ conf: senlin.filter_factory: senlin.api.middleware:webhook_filter filter:authtoken: paste.filter_factory: keystonemiddleware.auth_token:filter_factory - policy: - context_is_admin: role:admin - deny_everybody: "!" - build_info:build_info: '' - profile_types:index: '' - profile_types:get: '' - policy_types:index: '' - policy_types:get: '' - clusters:index: '' - clusters:create: '' - clusters:delete: '' - clusters:get: '' - clusters:action: '' - clusters:update: '' - clusters:collect: '' - profiles:index: '' - profiles:create: '' - profiles:get: '' - profiles:delete: '' - profiles:update: '' - profiles:validate: '' - nodes:index: '' - nodes:create: '' - nodes:get: '' - nodes:action: '' - nodes:update: '' - nodes:delete: '' - policies:index: '' - policies:create: '' - policies:get: '' - policies:update: '' - policies:delete: '' - policies:validate: '' - cluster_policies:index: '' - cluster_policies:attach: '' - cluster_policies:detach: '' - cluster_policies:update: '' - cluster_policies:get: '' - receivers:index: '' - receivers:create: '' - receivers:get: '' - receivers:delete: '' - actions:index: '' - actions:get: '' - events:index: '' - events:get: '' - webhooks:trigger: '' + policy: {} senlin: DEFAULT: log_config_append: /etc/senlin/logging.conf
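Review bot: The `0.2.8 Remove default policy rules` release note does not say that the operations the removed senlin map pinned to `''`, including `clusters:delete`, `receivers:create` and `webhooks:trigger`, now follow the in-code defaults of the deployed Senlin image. oslo.policy treats `''` as always allowed, and whether the in-code defaults are as permissive depends on the release, which is not visible in this patch. Authorization for existing deployments may therefore change on upgrade in either direction. I would extend the release note line to something like `- 0.2.8 Remove default policy rules; in-code policy defaults now apply` and suggest operators compare the effective policy before and after upgrading. The `conf:` mapping continues outside the hunk.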